The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Web cache poisoning with an unkeyed header lab not finishing

Bjartur | Last updated: Dec 10, 2023 11:08AM UTC

Hello,

It seems that I have successfully finished the lab but it is not getting marked as completed. I suspect the issue is that the alert only appears when I have the proxy enabled. However, I tried resetting and followed the steps in the video exactly but still the same issue. Even in the video he has the proxy enabled and it gets marked completed. I am doing alert(document.cookie) on my exploit server.

This is a screen recording of what's happening: https://imgur.com/gvR1eCf

Any idea what's going on here? I have been trying for an hour.

Dominyque, PortSwigger Agent | Last updated: Dec 11, 2023 08:35AM UTC

Hi Bjartur,

Out of curiosity, do you experience the same issue if you use the embedded browser to complete the lab?

Bjartur | Last updated: Dec 11, 2023 06:41PM UTC

It does work on the Burp browser, but the lab doesn't complete.

Dominyque, PortSwigger Agent | Last updated: Dec 12, 2023 08:59AM UTC

Hi Bjartur,

For step 11 in our solution:

Send your malicious request. Keep replaying the request until you see your exploit server URL being reflected in the response and X-Cache: hit in the headers.

In your screen recording, your X-Cache was displaying miss and not hit. Can you attempt the lab again, ensuring the X-Cache displays 'hit' before attempting steps 12 and 13?

Please let me know how this goes.

Bjartur | Last updated: Dec 12, 2023 09:02PM UTC

Hi Dominyque,

I just tried this again exactly like I've been doing before and it just worked. Not sure what happened here :D The cache did display 'hit' now, but I'm pretty sure it did in previous attempts as well. Oh well, problem solved I guess.

Thanks so much for your assistance.

Dominyque, PortSwigger Agent | Last updated: Dec 13, 2023 08:24AM UTC